Welcome to DAMdaryl (“DAMdaryl,” “we,” “us,” or “our”). We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information. This Privacy Policy explains our data practices for the DAMdaryl platform, website (damdaryl.ai), and related services (collectively, the “Services”).
DAMdaryl is a brand-aware digital asset management (DAM) platform that helps creators, marketing teams, and agencies organize, analyze, and search their visual content libraries using AI-powered tools and an intelligent creative assistant named “Daryl.”
By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with our practices, please do not use the Services.
For business customers: If you have entered into a separate Data Processing Agreement (DPA) with DAMdaryl, the terms of that DPA govern our processing of personal data on your behalf and supplement this Privacy Policy.
1. Information We Collect
1.1 Information You Provide to Us
Account Information:
- Email address (for authentication and communication)
- Name (optional, for personalization)
- Company/brand name (for brand context)
- Password (hashed and encrypted; never stored in plain text)
- Billing and payment information (processed by third-party payment processors)
Brand Information: When you create “brands” in the platform, you may provide:
- Brand name and industry
- Brand description and voice guidelines
- Color palettes and design preferences
- Target audience information
- Brand pillars, positioning, and values
- Services offered and marketing objectives
Digital Assets (Images/Videos): You upload visual content to our Services, which we store and analyze to provide core functionality. These assets may include photographs, illustrations, graphics, videos, embedded metadata (EXIF data, geolocation, camera information), and any text, objects, or people visible in the images.
Important: Please use caution when uploading content. Do not upload images containing intimate, sensitive, or confidential personal information without appropriate authorization. Content uploaded to the Services is processed by AI systems for analysis and search functionality.
Communications: Messages sent through contact forms, email, chat, or customer support; survey responses and feedback; testimonials and reviews (with your permission).
Conversation Data: When you interact with Daryl, our AI assistant, we collect chat messages and search queries, conversation context during active sessions, and preferences expressed during conversations.
Note on AI Personalization: Daryl applies brand context and infers preferences to improve recommendations over time. This constitutes a form of automated analysis. It does not produce legally significant decisions about individuals. You may reset or delete stored preferences at any time via your account settings or by contacting privacy@damdaryl.ai.
1.2 Information We Collect Automatically
When you use our Services, we automatically collect device and usage information including IP address and general location (city, state, country), device type, operating system, browser type, pages viewed, features used, time spent, referring and exit pages, click data, and access times and dates.
We use cookies, web beacons, and similar tracking technologies to remember your preferences, authenticate your account, analyze usage patterns, and measure the effectiveness of our communications. See Section 12 for full cookie details and opt-out options.
1.3 Information from Third-Party Sources
If you connect third-party services such as Google Drive, we receive authorization tokens to access specified resources, file names and folder structures, and image files from folders you have explicitly granted us access to. We may also receive information from analytics partners that help us understand how you interact with our Services.
2. How We Use Your Information
2.1 Service Delivery and Operations
- Provide the Services: Create and maintain your account, authenticate your identity, and deliver core DAM functionality
- Asset Processing: Analyze uploaded images and videos using AI to extract metadata, generate descriptions, identify objects and text (OCR), analyze color palettes, assess mood and tone, and classify composition elements
- Search and Discovery: Generate semantic and visual embeddings to enable natural language search and visual similarity matching
- AI Assistant (Daryl): Power the conversational AI that interprets search queries, applies brand context, provides strategic asset recommendations, and suggests creative directions
- Storage and Backup: Securely store your digital assets and associated metadata
- Customer Support: Respond to inquiries, provide technical assistance, and troubleshoot issues
2.2 Service Improvement and Development
- Analyze usage patterns to develop new features and improve existing functionality
- Identify and resolve technical issues
- Monitor system performance, user engagement, and service reliability
- Evaluate new features and improvements
No Training on Your Content: We do not use your uploaded assets, brand information, or conversation data to train, fine-tune, or improve any generalized AI or machine learning model — whether operated by DAMdaryl or any third party. Your content is processed solely to provide the Services to you.
2.3 Communications
- Service Communications: Send essential account information, confirmations, technical notices, updates, security alerts, and administrative messages
- Marketing Communications: With your consent (where required by law), send newsletters, product announcements, and promotional materials
- Surveys and Feedback: Request your opinions about our Services
2.4 Security and Compliance
- Detect, prevent, and respond to fraud, abuse, security incidents, and harmful or illegal activities
- Enforce account security through authentication and authorization mechanisms
- Comply with applicable laws, regulations, legal processes, and governmental requests
- Enforce our Terms of Service and resolve disputes
2.5 Aggregated and De-Identified Data
We may create anonymous, aggregated, or de-identified data from the information we collect. We may use this data for research, analytics, product development, and marketing, and may share it with third parties. Such data cannot reasonably be used to identify you.
4. Data Security and Breach Notification
4.1 Security Measures
We implement appropriate technical and organizational measures to protect your information against unauthorized access, loss, destruction, or alteration. Measures include:
- Encryption: Data encrypted in transit (HTTPS/TLS) and at rest using industry-standard encryption
- Authentication: Secure authentication via Supabase Auth with bcrypt password hashing
- Authorization: Row-level security (RLS) policies ensuring users access only their own data
- Access Controls: Principle of least privilege for internal access to systems and data
- Infrastructure Security: Hosted on SOC 2 compliant infrastructure (Supabase, Vercel)
- API Security: API keys and secrets stored as environment variables, never exposed to clients
- Monitoring: Automated monitoring for security incidents and anomalous activity
Third-Party Certifications: Supabase (ISO 27001), Stripe (PCI DSS Level 1), Google Cloud Platform.
4.2 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users without undue delay, and in any event within 72 hours of becoming aware of the breach, to the extent technically feasible
- Provide information about the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach
- Notify applicable supervisory authorities as required by applicable law (including GDPR Article 33)
To report a suspected security vulnerability or incident, contact: security@damdaryl.ai
5. Optional Third-Party Integrations
5.1 Google Drive Integration
- Purpose: Import existing image libraries from Google Drive without manual upload.
- Data Accessed: File names, folder structure, image files in folders you select.
- Authentication: OAuth 2.0 via Google's secure consent flow.
- Data Storage: Imported images are copied to DAMdaryl, analyzed, and stored in our system. Your original Google Drive files remain unchanged.
Google API Disclosure: We access Google Drive solely to import files you specify. We do not use Google Workspace APIs to develop, improve, or train generalized AI or ML models.
5.2 Future Planned Integrations
We plan to offer additional optional integrations, including Instagram, Brandfolder/SharePoint, and Canva. When these become available, we will update this Privacy Policy and notify you of any additional data practices.
6. Data Retention
We retain your information for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.
| Data Type | Storage Location | Retention Period |
|---|---|---|
| Account information | Supabase (PostgreSQL) | Until account deletion |
| Brand information | Supabase (PostgreSQL) | Until brand or account deletion |
| Uploaded assets (files) | Supabase Storage | Until asset or account deletion |
| Asset metadata and analysis | Supabase (PostgreSQL) | Until asset or account deletion |
| Search embeddings | Pinecone Vector Database | Until asset or account deletion |
| Active chat conversations | Session memory only | Cleared when session ends (not persisted) |
| Conversation preferences | Supabase (PostgreSQL) | Until account deletion |
| Billing and transaction records | Stripe / Supabase | 7 years (tax, accounting, and legal compliance) |
| Usage logs and analytics | Vercel / Internal systems | 90 days |
Upon Account Deletion: We will delete or anonymize your personal information within 30 days of a verified deletion request, except where retention is required for legal, tax, or regulatory purposes. Backups may persist for up to an additional 90 days before permanent deletion.
7. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
7.1 Access and Portability
Request access to and a copy of the personal information we hold about you, in a structured, machine-readable format. Contact: privacy@damdaryl.ai. We currently support JSON export of asset metadata.
7.2 Correction and Update
Request correction of inaccurate or incomplete personal information. Most account and brand information can be updated directly in your account settings.
7.3 Deletion
- Delete individual assets through the asset management interface
- Delete brands through the brand management interface
- Request full account deletion by contacting privacy@damdaryl.ai
7.4 Objection and Restriction
Object to or restrict processing of your personal information, particularly for direct marketing or processing based on legitimate interests. Contact: privacy@damdaryl.ai.
7.5 Withdraw Consent
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Contact: privacy@damdaryl.ai.
7.6 Marketing Communications
Opt out of marketing communications at any time by clicking “unsubscribe” in any marketing email, adjusting communication preferences in your account settings, or contacting privacy@damdaryl.ai.
7.7 Automated Decision-Making
You have the right to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you believe Daryl's recommendations have affected you in a significant way, contact privacy@damdaryl.ai to request human review.
7.8 Lodge a Complaint
- For EU/EEA residents: Contact your local data protection authority or the lead supervisory authority in Ireland.
- For UK residents: Contact the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
- For California residents: See Section 10 below.
- For all U.S. residents: You may contact the Federal Trade Commission at www.ftc.gov.
8. International Data Transfers
DAMdaryl is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our sub-processors operate.
Safeguards for International Transfers:
- For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission
- We are pursuing certification under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework
- Our sub-processors, including Google Cloud Platform and Supabase, participate in recognized data transfer frameworks
By using our Services, you acknowledge and consent to the transfer and processing of your information as described in this Privacy Policy.
9. Legal Bases for Processing (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, we process your personal information on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract Performance (Art. 6(1)(b)) |
| Providing core DAM Services | Contract Performance (Art. 6(1)(b)) |
| Processing payments | Contract Performance (Art. 6(1)(b)) |
| Customer support | Contract Performance (Art. 6(1)(b)) |
| Improving and developing the Services | Legitimate Interests (Art. 6(1)(f)) |
| Analytics and usage monitoring | Legitimate Interests (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate Interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Optional cookies and tracking | Consent (Art. 6(1)(a)) |
| Third-party integrations you authorize | Consent (Art. 6(1)(a)) |
| Tax and accounting record-keeping | Legal Obligation (Art. 6(1)(c)) |
| Responding to legal processes | Legal Obligation (Art. 6(1)(c)) |
You may withdraw consent for consent-based processing at any time without affecting the lawfulness of prior processing.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights.
10.1 Your California Rights
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold about you in the past 12 months
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information for cross-context behavioral advertising
- Right to Limit Sensitive Personal Information: Where applicable, limit our use of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
- Right to Data Portability: Receive your personal information in a portable format
10.2 Do Not Sell or Share My Personal Information
We do not sell your personal information for monetary consideration. We may “share” personal information (as defined by CCPA/CPRA) for cross-context behavioral advertising purposes through third-party cookies (see Section 12).
To opt out: Email privacy@damdaryl.ai with “Do Not Sell or Share” in the subject line. We will process your request within 15 business days.
10.3 How to Exercise Your California Rights
Submit a request by emailing privacy@damdaryl.ai with “California Privacy Request” in the subject line. Include your full name, email address, and the specific right you wish to exercise. We will respond to verified requests within 45 days, with a possible 45-day extension if necessary.
11. EU/EEA and UK — Additional Disclosures
11.1 Data Controller
DAMdaryl, LLC is the data controller for personal information processed under this Privacy Policy.
11.2 EU Representative
Pursuant to Article 27 of the GDPR, DAMdaryl has appointed an EU representative. Contact: eu-rep@damdaryl.ai
11.3 UK Representative
Pursuant to Article 27 of the UK GDPR, DAMdaryl has appointed a UK representative. Contact: uk-rep@damdaryl.ai
11.4 Data Protection Officer
For GDPR-related inquiries: dpo@damdaryl.ai
13. Data Processing Agreement (DPA)
Business customers who process personal data of EU/EEA/UK individuals or whose employees or clients are covered by applicable privacy laws may request a Data Processing Agreement by contacting privacy@damdaryl.ai. The DPA governs DAMdaryl's role as a data processor acting on your instructions and includes scope of processing, sub-processor obligations, security measures, breach notification commitments (72-hour notice), data subject rights assistance, data return and deletion upon contract termination, and Standard Contractual Clauses (SCCs) for international transfers.
14. Children's Privacy
The Services are not intended for anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe we have collected information from a minor, please contact privacy@damdaryl.ai immediately and we will take prompt steps to delete it.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Notify you by email or prominent in-app notice
- For significant changes, provide advance notice and an opportunity to review before the change takes effect
Your continued use of the Services after the effective date constitutes acceptance of the revised policy.
18. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- General Privacy Inquiries: privacy@damdaryl.ai
- Security Incidents / Vulnerability Disclosure: security@damdaryl.ai
- Customer Support: support@damdaryl.ai
- Data Protection Officer: dpo@damdaryl.ai
- EU Representative: eu-rep@damdaryl.ai
- UK Representative: uk-rep@damdaryl.ai
- Mailing Address: DAMdaryl, LLC — United States
We will respond to general privacy inquiries within 30 days, and to formal data subject requests within the timeframes required by applicable law (typically 30–45 days depending on jurisdiction).
By using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and sharing of your information as described herein.